Insecure Vodafone femtocells allow eavesdropping, call fraud

Femtocells are used by mobile operators to boost signals and improve the …

Hackers have reverse engineered the femtocells used by British mobile operator Vodafone, and discovered that they can be used to eavesdrop on callers and to fraudulently place calls and send text messages. Femtocells are being used increasingly often to provide better phone reception in areas with a weak signal. They contain short-range mobile base stations—typically with a range of 30-60 feet—paired with Internet connections. Users within range of the femtocell have their calls routed over a home Internet connection to the mobile operator's system.

Vodafone calls its femtocells Sure Signal. The Sure Signal costs £50, and supports up to 32 phone numbers belonging to 3G phones or Internet dongles. They can be used by any Vodafone customer, whether contracted or pay-as-you-go, with an Internet connection of 1Mbps or faster.

Security research group The Hacker's Choice took a look at how the Vodafone femtocells worked, and found that they are both poorly secured and fundamentally poorly designed. A little soldering enables access to the femtocell's serial console, which is secured only by a weak, fixed password. From there, network access can be enabled, custom software can be installed and run, tamper detection can be disabled, and, most significantly of all, the phone network can be attacked. The unit runs Linux, so it offers a familiar environment and easy development of custom software.

Femtocells incorporate 3G UMTS hardware, to which phones connect. UMTS connections are encrypted, which normally prevents casual eavesdropping or other misbehavior, but with the Vodafone femtocells that encrypted traffic is decrypted within the femtocell itself. The femtocell then sends the decrypted data down a separate encrypted connection to Vodafone's central servers. Though that second encrypted connection means the call can't be eavesdropped on by someone on the same LAN as the femtocell, the decrypted data within the femtocell itself is exposed to any software running on the femtocell. And thanks to the weak passwords and susceptibility to physical tampering, it's possible to install software on the femtocell that records all conversations sent through the device.

Normally femtocells are secured such that only their owners' phones will communicate with them. Vodafone's femtocell is no exception; owners have to register their phones on Vodafone's website, and each time the femtocell boots, Vodafone's network provides it with a list of phones that it's permitted to talk to. Unfortunately, this configuration too can be altered by hackers—it's just stored within an XML file on the device's filesystem—and so the femtocell can be configured to communicate with any Vodafone handset within range and allow eavesdropping on any calls placed.
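The weak point described above is that the list of permitted handsets is plain, unauthenticated data on a filesystem the attacker controls. As an added example (not code from the article, from The Hacker's Choice, or from Vodafone), the following Python sketch shows one way an operator could make local edits to such a list detectable: the network authenticates the list with an HMAC over its canonical contents when it hands the list to the femtocell at boot, and the femtocell refuses to serve any handset if the tag does not verify. The XML layout, the IMSI values and the signing key are constructed assumptions for illustration, not Vodafone's actual format or key material.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Assumption: a per-device key provisioned by the operator, held somewhere the
# femtocell's own software cannot read or rewrite (e.g. a hardware key store).
# Placeholder value, constructed for this example.
SIGNING_KEY = b"example-operator-provisioned-key"

# Constructed sample allow-list. The XML layout is hypothetical; the IMSI
# values use Vodafone UK's 234-15 prefix purely as sample data.
ALLOWLIST_XML = """<allowlist>
  <subscriber imsi="234150000000001"/>
  <subscriber imsi="234150000000002"/>
</allowlist>"""


def canonical_form(xml_text):
    """Reduce the list to a stable byte string (sorted IMSIs, one per line)
    so that whitespace or element order cannot be used to dodge the MAC."""
    root = ET.fromstring(xml_text)
    imsis = sorted(s.get("imsi") for s in root.findall("subscriber"))
    return "\n".join(imsis).encode()


def sign_allowlist(xml_text, key):
    """Operator side: compute the HMAC-SHA256 tag sent alongside the list."""
    return hmac.new(key, canonical_form(xml_text), hashlib.sha256).hexdigest()


def verify_allowlist(xml_text, tag, key):
    """Femtocell side: constant-time comparison of the received tag."""
    expected = sign_allowlist(xml_text, key)
    return hmac.compare_digest(expected, tag)


def load_allowed_imsis(xml_text, tag, key):
    """Return the set of permitted IMSIs, or refuse the whole list if the
    tag does not verify. Failing closed is the point: an unverifiable list
    must not let the unit serve arbitrary handsets in range."""
    if not verify_allowlist(xml_text, tag, key):
        raise ValueError("allow-list tag mismatch: refusing to serve any handset")
    root = ET.fromstring(xml_text)
    return {s.get("imsi") for s in root.findall("subscriber")}


def is_permitted(imsi, allowed):
    """Admission check applied when a handset attempts to attach."""
    return imsi in allowed


def demo():
    """Walk through the genuine list and a locally edited copy.
    Returns (genuine_accepted, tampered_rejected)."""
    tag = sign_allowlist(ALLOWLIST_XML, SIGNING_KEY)
    allowed = load_allowed_imsis(ALLOWLIST_XML, tag, SIGNING_KEY)
    genuine_ok = is_permitted("234150000000001", allowed) and not is_permitted(
        "234150000000099", allowed
    )

    # Someone with filesystem access appends an extra handset to the XML,
    # but cannot recompute the tag without the operator's key.
    tampered = ALLOWLIST_XML.replace(
        "</allowlist>", '  <subscriber imsi="234150000000099"/>\n</allowlist>'
    )
    try:
        load_allowed_imsis(tampered, tag, SIGNING_KEY)
        tampered_rejected = False
    except ValueError:
        tampered_rejected = True
    return genuine_ok, tampered_rejected


if __name__ == "__main__":
    print(demo())
```

The check only helps as far as the key and the verification code sit outside what the attacker can modify; with root on a Linux unit they could patch `load_allowed_imsis` out altogether, which is exactly why the article's point about the whole design, not just the passwords, matters.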

Once a phone has connected to the femtocell, custom software can pull off other tricks, too. It can make outbound calls and send SMSes using the identity—and billing—of the phone, allowing the owner of the femtocell to masquerade as their unsuspecting victim.

Though this makes femtocells extremely useful for the maliciously inclined, there are limits to what can be done. When the femtocell has captured a phone that hasn't been registered online, Vodafone won't route inbound text messages or voice calls to that phone. Only outbound connections can be spied on or created. Fraudulent calls and texts can only be made while the victim phone is connected to the femtocell, too—Vodafone's network needs to authenticate with the phone's SIM card prior to making a call, so if the phone is no longer in range, that authentication can't take place.

Nonetheless, this allows all manner of mischief—and could readily be targeted to allow eavesdropping on specific individuals with neither their knowledge nor their consent.

Extending the network and compromising security

The GSM Alliance, the industry body that creates the cellular telephony standards that femtocells use, is well aware of the kind of attacks that can be made against femtocells. A 2008 document, "Security Issues in Femtocell Deployment," describes a range of risks, including the dangers of having the decrypted conversations accessible within the unit, and warns implementers that "Unprotected data must not be accessible inside the FAP for reading or modification/spoofing." Plainly Vodafone has not heeded that advice.

Though removing easy serial access and using secure passwords would make it a little harder to abuse the cellular access points in this way, the fundamental design—terminating the UMTS encrypted channel in a readily modifiable piece of hardware installed within users' own homes—is probably not securable. The decision to use the familiar Linux operating system for the unit's firmware certainly makes tampering easier—both because people know how to use it, and because it makes the runtime environment readily modifiable—but even if the hardware used some locked-down, single-purpose custom firmware, the possibility of attacking that decrypted data would remain.

However, this design is by no means unique to Vodafone. Although femtocells could be created that merely passed through the UMTS connection, with the encrypted channel being terminated within the safety of the network operator's own systems, the GSMA security document notes that "some, if not all" femtocells have this same basic design. Other femtocells used by other mobile operators are likely susceptible to the same attacks.

Further investigation might yield additional attacks. The femtocell has access to Vodafone's internal network, and it may be possible to abuse this access to harm the network in some way.

Femtocells are now a common part of mobile operators' hardware line-up. They're the preferred solution for boosting signal in otherwise hard-to-reach areas, and many operators now offer them to extend the reach and reliability of their networks. In Vodafone's case, at least, the femtocells are also compromising the security of the network and putting customers at risk of abuse.

We've asked Vodafone for comment on the hack, but received none at the time of publication.

Update: Vodafone has made a statement on its forum, saying that the flaw was fixed in a software update made last year. The statement doesn't specify what the fix is, nor whether the flawed design has been altered.